PT-2022-19295 · Apache · Apache Jena
Authors: Amit Laish +2
Published: 2022-05-05 · Updated: 2023-10-25
CVE-2022-28890
CVSS v3.1: 9.8 (Critical)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Jena versions prior to 4.4.0
Description
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause the parser to retrieve an external DTD referenced from the document being parsed. This issue affects versions prior to 4.4.0, excluding Apache Jena 4.2.x and 4.3.x, which do not allow external entities.
Recommendations
For Apache Jena versions prior to 4.4.0, update to 4.4.0 or a later version that is not affected by this issue.
As a temporary workaround, consider disabling the RDF/XML parser until the update can be applied.
Restrict the parser's ability to load external DTDs and external entities to minimize the risk of exploitation.
Fix
XXE
Affected Products
Apache Jena